The Computer Incident Advisory Capability (CIAC)
E. Eugene Schultz, Jr.
Lawrence Livermore National Laboratory
By now you have probably read one or more bulletins from the DOE
Center for Computer Security beginning with the phrase: "The Computer
Incident Advisory Capability (CIAC) at LLNL has learned that..." You
may have wondered exactly what CIAC is, and what it does. This
article will introduce the CIAC effort, explain why CIAC was formed
and what its goals are, describe the composition of the CIAC team, and
finally explain how CIAC operates.
Why CIAC Was Formed
Until recently, most computer security events affecting U.S.
Government computer systems could be described as either hacker
incidents or the result of some kind of internal sabotage. Events
occurring over the last two years, however, suggest a changing pattern
of attacks on U.S. Government systems. Hacker attacks are becoming
more sophisticated, as shown by the West German hacker attacks in
1987-88, and by the December, 1988 hacker attacks on Lawrence
Livermore National Laboratory. Still, hacker attacks are becoming
increasingly passé. There is a new "badge of honor" associated with
the ability to perpetrate new forms of attack--viruses, worms, and Trojan
horses. The Internet worm of November, 1988 received substantial
national attention, and awoke computer security experts to the
potential for a "non-traditional" and unlikely form of attack. In addition, the
potential motivation of those hostile to the United States to disable
defense-related computer systems during times of critical need by
using time bombs, worms, etc. poses another dimension of problems for
computer security experts within the defense arena.
As the number and complexity of computer security problems grow, DOE's
need to respond efficiently to computer security problems becomes
greater. The DOE Community currently has over 100,000 computers
located at over 70 classified and unclassified sites. A central
capability for analyzing events, coordinating technical solutions,
ensuring that necessary information is conveyed to those who need such
information, and training others to deal with computer security
incidents is essential. At DOE Headquarters, the Office of Safeguards
and Security (OSS) and the Office of Automated Data Processing
Management (OADPM) recognized the need for a central response
capability even before the Internet worm. These offices provided
funding to Lawrence Livermore National Laboratory to develop a response
effort, the Computer Incident Advisory Capability (CIAC) Team. This
team will provide the DOE community with 24-hour capability to
efficiently and rapidly handle computer security events.
Goals of the CIAC Effort
The CIAC effort is a continuing, multi-year effort to meet DOE
computer security response needs in both classified and unclassified
systems. The goals and objectives of this effort include the
following, listed in order of priority:
1. Assistance to DOE Sites in Handling Computer Security Events
The CIAC team will provide assistance to DOE sites which request such
assistance, or when DOE directs the team to assist. This activity
includes assessing the nature and extent of any damage to systems,
helping those faced with an event to contact key people and
organizations, coordinating technical efforts to develop and collect
software "patches," advising site personnel how to perform damage
control and recovery procedures, and providing direct technical
expertise to sites which lack the types of expertise necessary to
handle a particular event.
2. Establishing a Response Center
CIAC will establish and maintain an office at LLNL that will become
the center for conducting team activities, including helping other DOE
sites handle events. The center will also house the computers and
other hardware needed to handle communications with DOE sites.
3. Developing Vital Computer and Communications Capabilities
CIAC needs to communicate with DOE sites during events and at other
times. Some events will be infectious attacks which will rapidly
spread to other systems at the site which is attacked as well as other
sites. CIAC, therefore, will (through the DOE Center for Computer
Security) alert others of infectious attacks, system vulnerabilities,
and so on, so that appropriate measures can be taken. Appropriate
measures might include shutting down gateway machines, temporarily
disconnecting networks, making quick changes to system software, and
so forth. CIAC will establish electronic communication capability with
DOE sites, so that CIAC can take actions such as sending and receiving
electronic mail from numerous sites, and sending and receiving patches
and technical data. CIAC will also develop a capability for allowing
staff from other DOE sites to quickly obtain information about CIAC's
response efforts, technical solution developments during an event,
CIAC training and awareness programs, and other important information.
4. Establishing a Clearinghouse of Information on Computer Security
Events
CIAC will develop databases on previous incidents, known viruses and
worms, known vulnerabilities of systems, and key people to contact.
The CIAC staff will be able to readily retrieve or archive any
desired information from each database.
5. Developing Cooperative Procedures within DOE, with Other Federal
Agencies, and Vendors
A coordinated response capability is essential. CIAC accordingly is
developing cooperative procedures with the DOE Center for Computer
Security and Federal agencies such as the FBI, and DARPA's Computer
Emergency Response Team (CERT). CIAC is also working with vendors to
learn of security holes and fixes, and will work with vendors to
ensure that they either fix problems with their products or allow
third parties access to source code so that concerned customers can
create fixes.
6. Developing Guidelines for Responding to Events
CIAC will develop recommended procedures that both CIAC and technical
personnel at DOE sites can follow. These procedures include
managerial as well as technical guidance for event handling. CIAC
will define and prioritize classes of events, so that CIAC can provide
assistance where it is most needed. These procedures will be
consistent with the DOE Orders pertinent to incident handling, and
will contain the necessary details to solve technical problems,
conduct coordinated efforts, and preserve evidence which may be
important in follow-up prosecution.
7. Developing Software Tools for Event Handling
CIAC will determine which software tools can facilitate responding to
events. CIAC Team members can then design and implement these tools,
or coordinate the development of such tools by others. Candidate
tools include anti-virus programs, software for monitoring intrusions,
tools for detection and recording capabilities, incident analysis and
reverse engineering tools, and tools for real-time notification.
8. Providing an Analysis Capability
CIAC will analyze known events to categorize events, determine trends,
determine which preventative measures are effective, and so forth.
Ultimately, CIAC will develop models of attacks and eradication
methods based on what is learned from this analysis activity.
9. Conducting a Training and Awareness Function
The CIAC team will cooperate with the DOE Center for Computer Security
to conduct workshops and training seminars. In addition, the CIAC
team will conduct its own regional training workshops devoted
specifically to responding to incidents. The team will also
disseminate information about useful software tools to promote
computer security and to facilitate incident handling.
The CIAC Team
The CIAC team currently consists of two full-time and one part-time
staff. CIAC will be ramped to four full-time team members by October,
1989 to form the core response capability. The part-time individual
will also continue to be available to help during computer security
events. In addition to a team leader, Eugene Schultz, the core team
will include two specialists in operating systems and one in
networking. One UNIX specialist, Ana Maria De Alvare', is already
part of the team. We anticipate adding expertise in VMS, MVS, the
Macintosh Operating System, and/or other environments when we hire a
second operating systems specialist.
Because the CIAC team is currently small, the team has been incredibly
busy! We have provided information and fixes to sites infected by
viruses. Many of you have called us because you suspected that one or
more of your site's machines has been affected. We have also been
learning of vulnerabilities and relaying vulnerability information to
the Center for Computer Security for distribution. Some of you have
called us asking for information to be incorporated into your site's
training programs, and others have asked us to critique your site's
incident handling procedures. We should have an initial version of
our guidelines for incident handling available shortly.
CIAC Operations
Although many issues are currently unresolved, a number of CIAC's
operating procedures and plans have been determined. CIAC will, for
example, be the point of initial contact for sites requesting
assistance. (How to contact CIAC is described at the end of this
article.) Sites needing CIAC assistance may also be referred to CIAC
by DOE and/or the Center for Computer Security. If there are
significant threats and vulnerabilities which may affect other sites,
CIAC will inform the Center for Computer Security, which will notify
CPPCs, CSSOs, CPPMs, and CSSMs. CIAC, meanwhile, will analyze the
event and will attempt to develop or obtain any fixes needed. Once
CIAC has verified any fixes, it will inform DOE sites that the fixes
are available, and will distribute them. Any fix represents CIAC's
best attempt at a solution to threats at DOE sites. Because CIAC is not
a software development capability, however, CIAC will not assume
liability for any fixes it creates and/or distributes.
When a site calls CIAC, CIAC will not reveal the identity of that site
unless the management of that site gives CIAC permission to do so. If
an incident is reportable to DOE under the applicable regulations, it
is the responsibility of the site to immediately report the incident
in the appropriate manner. When there is a reportable incident or
substantial evidence that more than one DOE or other Federal site
could be adversely affected by an event at a DOE site, the CIAC team
leader will inform the management of that site of the need to
immediately report the situation through appropriate channels. CIAC
will under these circumstances take no further action until the site
has complied with reporting procedures.
DOE's current policy is not to charge sites for CIAC services.
However, events requiring extensive time and travel on the part of
CIAC staff may require negotiation between DOE Headquarters and the
site.
Several significant events may sometimes occur simultaneously. Under
these conditions, DOE will assist CIAC in determining action
priorities.
Conclusion
CIAC is a relatively new concept. Other Federal agencies have formed
or are forming incident response teams, but currently CIAC is one of
the first two such teams. CIAC is already working hard to help
sites respond to computer security events. CIAC is also working to
bring together the many technical resources existing within DOE, to
improve our ability to respond to events. Finally, CIAC can enable
sites to adopt proactive measures to reduce threats and
vulnerabilities, and to make responding to events more efficient. CIAC
is constantly discovering information about vulnerabilities and
computer security events which could impact DOE sites--it is, in one
sense, your "listening post" and early warning center.
A support effort like CIAC cannot function without assistance from the
DOE community. There are several things you can do to help CIAC.
Having your site establish a link to Internet would make the process
of distributing and receiving binary and ASCII patches considerably
easier and faster for everyone. If you are a CPPM, CSSM, CPPC or
CSSO, and your phone number, FAX number, or electronic mail address
changes, we would appreciate your keeping us advised of any such changes.
Finally, if you request a fix on diskette, please ask for only one
copy for your site. Your making your own duplicates will save us
time, so that we can serve the DOE community better.
You can contact CIAC* by:
e-mail. . . . . ciac@llnl.gov
phone . . . . . (510) 422-8193/FTS
FAX . . . . . . (510) 423-8002/FTS
SKYPAGE . . . . 1-800-SKYPAGE PIN(855-0070) or PIN(855-0074)
*NOTE: contact information updated January 25, 1993 by Marvin Christensen.